So this was pretty easy. This host was so full of holes that I could have probably used many other exploits (Nessus found 22 red ones...). But I then tried to figure out how Nessus was able to find this vulnerability and this is where I hit a wall...

Does this nmap output tells you something like: "That's obviously a ms08_067_netapi vulnerability that we have here!". For me, without Nessus, I would have never tried this exploit...

So what approach do you guys use? Do you have a set of very powerful exploits that you try at targets that simply match the OS and maybe a port? Or is there some voodoo that you can do to go from this nmap output to this exploit?

I think the clues to try this exploit are the OS and that port 445 is open.

That Metasploit link you posted shows the OS in the vulnernable OS list. Plus, the RHOST lines defaults to 445 [SMB service port. (side question: Is this port configurable if you're setting up the network in a production environment?)].

I'm not a pentester by day though, just from what I've gathered in my own lab awhile back when messing with that exploit.

Last edited by lorddicranius on Thu Jan 10, 2013 8:06 pm, edited 1 time in total.

Whenever I see 445 open and the box is XP ish... I always look for 08-067.

To know how the scanner checks for this particular vulnerability you can look at the details of the vulnerability to learn how its triggered. In this case, I cheated and looked at smb-check-vulns.nse, which is an nmap script.

On line 130 of the script you see "---Check if the server is patched for MS08-067. This is done by calling NetPathCompare with an -- illegal string. If the string is accepted, then the server is vulnerable; if it's rejected, then -- you're safe (for now). "

In the code you see what he does to check for 08-067 and it begins to makes sense...

@cd1zz: I have read the nse script and you are right, it is very obvious when you cheat!

From lorddicranius:

I think the clues to try this exploit are the OS and that port 445 is open.

From cd1zz:

Whenever I see 445 open and the box is XP ish... I always look for 08-067.

That's what I was thinking. If you don't have access to a vulnerability scanner, but only nmap without the .nse scripts, it's pretty tough to find an exploit unless you have already used it or seen it before.

In my original post, I mentioned:

This host was so full of holes that I could have probably used many other exploits (Nessus found 22 red ones...)

So let's say MS08-067 is patched and you can't use Nessus, OpenVAS, or any nmap scripts. The approach has to be that, based on experience, you would do like Grendel mentioned and first look at the OS, the open ports and the services fingerprints.

But still, for example, it's one thing to see that Apache 1.2.3 is running an find an exploit for it (quite easy), but in my example above, you have to know about it...

So here's what I will do from now on: use these vulnerability scanners in the lab and whenever I can to find the vulnerabilities, but instead of just running the corresponding exploit and forget about it, I will take very, very good notes and add it to my toolbox.

Again, other than when the service is very well documented (like in my Apache 1.2.3 example), I am just afraid of the times when I won't be able to use a scanner. Getting something like this:

Code:

OS: Microsoft Windows 2003 SP2

PORT STATE SERVICE VERSION------------------------------------------------------------------1035/tcp open msrpc Microsoft Windows RPC

I like the way you think H1t M0nk3y! It's one thing to scan and assume but a whole other thing to test beyond that of the scanner. Sometimes a scanner like Nessus may just guess at the vulnerability by factoring what it does know. But other times it sends test data, I've personally seen this when I ran it against some public facing Web App servers. I turned on the Web App Testing setting and then reviewed the results. Basically it did the quick tests for XSS and SQLi where appropriate. Not enough to break anything but, like nmap, just a quick sample request to see if the vulnerability exists. Other results you see it makes its decision based on OS, service version etc..

Then you're going to need to obtain as much information about the system and services as you can and do some research at the National Vulnerability Database, Open Source Vulnerability Database, ExploitDB, within Metasploit, Google, etc. You might not be able to pinpoint an exact match and will have to take a trial-and-error approach with several potential exploits.